Extensible Access Control Framework for
Cloud based Applications
User Manual for
FGAC
Policy Administration Point
25-04-2014
Version 1.0
Dr. Muhammad Awais Shibli
[Principal Investigator]
Dr. Arshad Ali
[Co-Principal Investigator]
National ICT R & D
[Funding Organization]
Extensible Access Control Framework for Cloud based Applications
KTH-SEECS Applied Information Security Lab, NUST-SEECS, H-12 Sector, Islamabad, Pakistan.
Tel: 051-90852164, Fax: 051-8317363, Website: http://ais.seecs.nust.edu.pk/project
Contents
Introduction
Scope
Document Convention
A. System Learning
SL- 1: Manage Subject
SL- 2: Manage Resource
SL- 3: Manage Action
SL- 4: Manage Environment
B. Policy Creation
PC - 1. Manage Target
PC - 2. Manage Condition
PC - 3. Manage Rule
PC - 3. Manage Policy
PC - 4. Manage Policy Set
C. XACML Generation
PG - 1. Policy Generation
PG - 2. Policy Set Generation
Introduction
The purpose of this document is to provide the User Manual of the Policy Administration Point (PAP) for the Fine Grained Access Control (FGAC) model of the project entitled Extensible Access Control Framework for Cloud Based Applications. This project broadly aims to provide Access Control-as-a-Service (ACaaS) for Software-as-a-Service (SaaS) layer applications. It incorporates a variety of reliable and well-known access control models as Cloud based services. These access control models mainly include the Attribute Based Access Control (ABAC), Fine Grained Access Control (FGAC) and Usage based access CONtrol (UCON) models. Each of these models is intended to help users secure their applications at the SaaS layer, where the management and evaluation of access control decisions are externalized and handled for Cloud consumers. The major components of the framework include the Policy Decision Point (PDP), Policy Enforcement Point (PEP) and Policy Administration Point (PAP). Each of these components performs a specific function: the PAP deals with the management of access control policy, whereas the PDP is responsible for formulating the authorization decision by evaluating the access control policy. The PEP acts as a service gateway between the PDP and the requested resource (application or service); it intercepts authorization requests and forwards them to the PDP for decision making (permit/deny).
This manual briefly describes how FGAC policies are created using the PAP web interface. It further includes detailed screenshots illustrating every step that the user might take to complete the different processes for all the main phases, including 'System Learning', 'Policy Creation' and 'Policy Generation'. This manual is intended for system administrators, who may use this document as a guideline for the generation of access control policy.
Scope
This user manual focuses on the FGAC model of the framework and elaborates the use of the Policy Administration Point for the creation and management of FGAC policies. It mainly covers three phases of the PAP: 'System Learning', 'Policy Creation' and 'Policy Generation'. The 'System Learning' phase covers populating the database with the basic policy attributes, which are Subject, Action, Resource and Environment. The manual provides a detailed guideline for a system administrator to add, delete or update the required attributes using the i) Manage Subject, ii) Manage Action, iii) Manage Resource and iv) Manage Environment functions. The second phase of the PAP, namely 'Policy Creation', includes the creation of Target, Rule, Policy and PolicySet. In this regard, the document explains how to create, delete and update the 'Policy Creation' attributes. It provides step by step instructions for the i) Manage Target, ii) Manage Condition, iii) Manage Rule, iv) Manage Policy and v) Manage PolicySet functions. Furthermore, it explains how to use the PAP interfaces for XACML Policy and PolicySet generation. FGAC brings granularity to the policies through the Rule attribute of XACML, which is reflected in the Manage Policy section of this document.
Document Convention
DC- 1: The core XACML tags are highlighted with Capital First Letter.
DC- 2: The PAP interface titles are specified with Capital First Letter and Bold font style.
DC- 3: Names of main PAP phases are written in single quotes with Capital First Letter.
A. System Learning
This section demonstrates how to create, update and delete the Subject, Action, Resource and Environment attributes in the 'System Learning' phase.
1. Select the System Learning option from the main interface of the PAP, as shown in the figure below.
The System Learning interface displays the options for Subject, Action, Resource and Environment. Accordingly, the subsections below demonstrate Manage Subject, Manage Resource, Manage Action and Manage Environment.
SL- 1: Manage Subject
This section demonstrates how the system administrator can create, update and delete the Subject in the 'System Learning' phase. It consists of three sections, namely Create Subject, Update Subject and Delete Subject.
MS- 1: Create Subject
1. Select the Subject option from the dropdown list as depicted below.
2. After selecting the Subject option in the previous step, the following screen appears for adding new Subjects. This interface includes three main portions, highlighted with “a”, “b” and “c” in the figure below.
a) The upper portion of the Subject interface contains the Subject Name, Subject Category and Subject Description columns. If there are no Subjects in the database, “No records found” appears; otherwise the table is populated with the existing Subjects in the database.
b) The second portion of this interface contains the Subject Attributes tab, which lists the attributes added for a given Subject. Initially, there are no records in the database and the “+” button is disabled.
c) The third portion of the interface consists of the Subject Attribute Values tab, which lists the different values of a specific attribute. At the start, when no Subject, Attribute or Attribute Values have been added, the “+” sign is disabled.
3. Click on the Add Subject button in the bottom right corner of the interface below.
4. The Create Subject interface opens for adding the required Subjects. This interface has three main portions for adding the Subject, Attributes and Attribute Values, highlighted with “a”, “b” and “c” in the figure below.
a-1) The first portion of the interface consists of the Subject Name, Subject Description and Subject Category text boxes. To create a Subject, enter the required name and description in the text boxes. The required category can be selected from the dropdown list as shown below.
b-1) The second part of the Create Subject interface provides the “+” button for adding the required attributes for a particular Subject.
b-2) The following interface appears for adding the required Subject Attribute. It consists of the Attribute Name, Data Type and Attribute Value text boxes. Enter the required attribute name and its value, and select the data type from the given list. Click on the Save button.
b-3) The added attribute is displayed under the Subject Attribute tab as shown in the figure below.
c-1) The third portion of the Create Subject interface consists of the Subject Attribute Values tab, used to add more than one value for a specific attribute. It has a “+” button for adding more values to the selected Attribute. If no Subject Attribute is selected, a warning message is displayed.
c-2) When the “+” button is clicked, the following window appears on the screen, containing the Attribute Value text box. Enter the desired value and then click on the Save button as depicted in the figure below.
c-3) After saving the Attribute Value, both the newly added value and the previously existing value are visible under the Subject Attribute Values tab as shown in the figure below.
5. Now click on the Save button in the Create Subject interface to save the added Subject in the database.
6. The added Subject is displayed on the Subject interface with its values under the Subject Name, Subject Category and Subject Description tabs as given below.
7. Now click on the newly added Subject row. This displays the Attributes of the Subject under the Subject Attribute tab and enables the “+” sign for adding more Attributes to the selected Subject.
8. To add more Subject Attributes, click on the “+” button. Enter the required values for Attribute Name, Data Type and Attribute Value and then click on the Save button.
9. Two Subject Attributes are now visible under the Subject Attribute tab as shown below.
10. To view the values of a specific Attribute, click on the required Attribute. This enables the “+” button as shown below. By clicking on the “+” button, more Attribute Values can be added to the selected Attribute.
MS- 2: Update Subject
1. Right click on the specific Subject and then select the Update option from the menu as depicted in the figure below.
2. The following interface appears after selecting the Update option in the previous step. You can update any of the three values: Subject Name, Subject Description or Subject Category. After updating the required fields, click on the Save button.
3. The updated results are visible on the main Subject interface as shown below.
4. Similarly, any Attribute of the Subject can also be updated. Right click on the required attribute under the Subject Attribute tab of the Subject interface. A dropdown menu appears; select the Update option.
5. The Update Subject Attribute interface is displayed on the screen. Enter the required name in the Attribute Name text box and click on the Save button.
6. Similarly, the values of an Attribute can also be updated. Right click on the name of the Attribute Value under the Subject Attribute Value tab. Now select the Update option from the dropdown list.
7. The following window appears. Enter the new value for the Attribute and then click on the Save button.
MS- 3: Delete Subject
1. Right click on the name of the Subject in the main Subject interface. Select the Delete option from the dropdown list.
2. On selecting Delete, a confirmation dialog box appears. Click “Yes” to delete the desired Subject.
3. The selected Subject is deleted as shown in the figure below. The Subject Attributes and Subject Attribute Values of that specific Subject are also deleted.
4. To delete a particular Subject Attribute of a Subject, select the Subject and right click on the Attribute to be deleted, under the Subject Attributes tab on the Subject interface. Click on the Delete option from the dropdown list.
5. Confirm the decision by clicking on Yes in the confirmation dialog box.
6. The selected Attribute is deleted along with all of its Attribute Values as shown in the figure below.
7. To delete a particular Attribute Value, right click on that value under the Subject Attribute Value tab and click on the Delete option.
8. Confirm the decision by selecting Yes in the confirmation dialog.
9. The selected Attribute Value is deleted as depicted in the figure below.
SL- 2: Manage Resource
This section demonstrates how to create, update and delete the Resource in the 'System Learning' phase.
MR- 1: Create Resource
1. To create a Resource, select the Resource option from the dropdown list as depicted below.
2. After selecting the Resource option in the previous step, the following Resource interface is displayed for adding a new Resource. This interface includes three main portions, highlighted with “a”, “b” and “c” in the figure below.
a) The first part of the Resource interface contains the Resource Name and Resource Description columns.
b) The second portion of this interface contains the Resource Attributes tab, which lists the Attributes added for a given Resource. Initially, when there are no records, the “+” button is disabled.
c) The third part of the interface consists of the Resource Attribute Values tab, which lists the different values of a specific Attribute. At the start, when no Resource, Attribute or Attribute Values have been added, the “+” button is disabled.
3. Click on the Add Resource button in the bottom right corner of the interface below.
4. The Create Resource interface opens for adding the required number of Resources. This interface has three main portions for adding the Resource, Attributes and Attribute Values, highlighted with “a”, “b” and “c” in the figure below.
a) The first portion of the interface consists of the Resource Name and Resource Description text boxes. To create a Resource, enter the required name and description in the text boxes.
b-1) The second part of the Create Resource interface provides the “+” button for adding the required Attributes for a particular Resource.
b-2) When the “+” button is clicked, the following interface is displayed for adding the required Resource Attributes. It consists of the Attribute Name, Data Type and Attribute Value text boxes. Enter the required Attribute name and its value, and select the data type from the given list. Finally, click on the Save button as shown below.
b-3) The added Attribute is displayed under the Resource Attribute tab as shown in the figure below.
c-1) The third part of the Create Resource interface consists of the “+” button for adding more than one value for a specific Attribute. It is compulsory to select the required Attribute from the Resource Attributes before adding the values. A warning message is displayed if none of the Resource Attributes is selected.
c-2) Once the “+” button is clicked, the following window appears on the screen, containing the Attribute Value text box. Enter the required value for the Attribute and then click on the Save button as shown in the figure below.
c-3) After saving the Attribute Value, the following two values are visible under the Resource Attribute Values tab as shown in the figure below.
5. Now click on the Save button in the Create Resource interface to save the added Resource in the database.
6. The added Resource is displayed on the Resource interface with its values under the Resource Name and Resource Description tabs as shown in the figure below.
7. Click on the newly added Resource row. This displays the Attributes of the Resource under the Resource Attribute tab and enables the “+” sign for adding more Attributes to the selected Resource.
8. On clicking the “+” button, the following window appears. Enter the required values for Attribute Name, Data Type and Attribute Value and then click on the Save button.
9. Two different Resource Attributes are now visible under the Resource Attribute tab as shown in the figure below.
10. To view the values of a specific Attribute, click on the required Attribute. This also enables the “+” button as shown below. By clicking on the “+” button, more Attribute Values can be added to the selected Attribute.
MR- 2: Update Resource
1. To update an added Resource, right click on that specific Resource in the Resource interface and then select the Update option from the menu as depicted in the figure below.
2. The following interface appears after selecting the Update option in the previous step. You can update either of the two values: Resource Name or Resource Description. After updating the required fields, click on the Save button.
3. The updated results are visible on the main Resource interface as shown below.
4. Similarly, any Attribute of the Resource can also be updated. Right click on the Attribute under the Resource Attribute tab of the main Resource interface. A menu appears; select the Update option.
5. The Update Resource Attribute interface is displayed on the screen. Enter the required name in the Attribute Name text box and click on the Save button.
6. The updated results for the particular Attribute appear under the Resource Attribute tab on the main Resource interface.
7. Similarly, the values of an Attribute can also be updated. Right click on the name of the Attribute Value under the Resource Attribute Value tab. Now select the Update option from the dropdown list.
8. The following window appears. Enter the new value for the Attribute and then click on the Save button.
9. The updated value for the Resource Attribute is displayed instead of the previous value as shown below.
MR- 3: Delete Resource
1. Right click on the name of the Resource in the main Resource interface. Select the Delete option from the dropdown list.
2. Confirm the deletion by clicking Yes in the Delete confirmation dialog box.
3. The selected Resource is deleted as shown in the figure below. The Resource Attributes and Resource Attribute Values of that specific Resource are also deleted.
4. To delete an Attribute of a particular Resource, right click on that Attribute under the Resource Attribute tab on the main Resource interface. Click on the Delete option from the dropdown list.
5. Click Yes to confirm the deletion in the confirmation dialog box.
6. The selected Attribute is deleted along with all of its Attribute Values as shown in the figure below.
7. To delete a particular Attribute Value, right click on that value under the Resource Attribute Value tab and click on the Delete option.
8. Click Yes in the confirmation dialog box to confirm the deletion.
9. The selected Attribute Value is deleted as shown in the figure below.
SL- 3: Manage Action
This section demonstrates how to create, update and delete the Action in the 'System Learning' phase.
MA- 1: Create Action
1. To create an Action, select the Action option from the dropdown list as depicted below.
2. After selecting the Action option in the previous step, the following Action interface opens. This interface includes three main portions, highlighted with “a”, “b” and “c” in the figure below.
a) The upper portion of the Action interface contains the Action Name and Action Description tabs.
b) The second portion of this interface contains the Action Attributes tab, which lists the Attributes added for a given Action. Initially, when there are no records in the database, the “+” button is disabled.
c) The third part of the interface consists of the Action Attribute Values tab, which lists the different values of a specific Attribute. When no Action has been added, the “+” sign is disabled.
3. Click on the Add Action button in the bottom right corner of the interface below.
4. The Create Action interface opens for adding the required number of Actions. This interface has three main portions for adding the Action, its Attributes and Attribute Values, highlighted with “a”, “b” and “c” in the figure below.
a-1) The first portion of the interface consists of the Action Name and Action Description text boxes. Enter the required name and description in the text boxes as shown below.
b-1) The second portion of the Create Action interface provides the “+” button for adding the required Attributes to the Action.
b-2) The following interface opens for adding the required Action Attributes. It consists of the Attribute Name, Data Type and Attribute Value text boxes. Enter the required Attribute name and its value, and select the data type from the given list. Finally, click on the Save button as shown below.
b-3) The added Attribute is displayed under the Action Attribute tab as shown in the figure below.
c-1) The third part of the Create Action interface consists of the “+” button for adding more than one value for a specific Attribute. It is compulsory to select the required Attribute from the Action Attributes before adding the values. If the “+” button is clicked without selecting any Attribute, a warning message pops up asking you to first select the Attribute.
c-2) On clicking the “+” button, the following window appears on the screen, containing the Attribute Value text box. Enter the required value for the Attribute and then click on the Save button as shown in the figure below.
c-3) After saving the Attribute Value, the following two values are visible under the Action Attribute Values tab as shown in the figure below.
5. Now click on the Save button in the Create Action interface to save the Action in the database as shown below.
6. The added Action is displayed on the Action interface with its values under the Action Name and Action Description tabs as shown in the figure below.
7. Now click on the newly added Action line. This displays the Attributes of that Action under the Action Attribute tab and enables the “+” sign for adding more Attributes to the selected Action.
8. On clicking the “+” button, the following window appears. Enter the required values for Attribute Name, Data Type and Attribute Value and then click on the Save button.
9. Two different Action Attributes are now visible under the Action Attribute tab as shown in the figure below.
10. To view the values of a specific Attribute, click on the required Attribute. This enables the “+” button as shown below. By clicking on the “+” button, more Attribute Values can be added to the selected Attribute.
MA- 2: Update Action
1. To update an added Action, right click on that specific Action in the main Action interface and then select the Update option from the menu as depicted in the figure below.
2. The following interface appears after selecting the Update option in the previous step. You can update either of the two values: Action Name or Action Description. After updating the required fields, click on the Save button.
3. The updated results are visible on the main Action interface as shown below.
4. Similarly, any Attribute of the Action can also be updated. Right click on the required
Attribute under the Action Attribute tab of the main Action interface. Select the Update
option from the menu.
5. The Update Action Attribute interface is displayed on the screen. Enter the required name in the
Attribute Name text box and click on the Save button.
6. The updated results for the particular Attribute appear under the Action Attribute tab on
the main Action interface.
7. Similarly, the values for Attribute can also be updated. Right click on the name of the
Attribute Value under Action Attribute Value tab. Now select the Update option from the
menu.
8. The following window is displayed. Enter the new required value for Attribute and then click
on Save button.
9. The updated value for the Action attribute is displayed instead of the previous value as
shown below.
MA- 3: Delete Action
1. To delete a particular Action, click on the name of that Action in the main Action interface.
Select the Delete option from the dropdown list.
2. Click Yes to confirm the deletion in the confirmation dialog box.
3. The selected Action is deleted, as shown in the figure below. The Action Attributes and Action
Attribute Values are also deleted for that specific Action.
4. In order to delete an Attribute of a particular Action, click on that Attribute under the Action
Attribute tab on the main Action interface. Click on the Delete option from the menu.
5. Confirm the deletion by clicking on Yes in the confirmation dialog.
6. The selected Attribute is deleted along with all of its Attribute values, as shown in the figure
below.
7. To delete a particular Attribute value, click on that value under the Action Attribute Value
tab and click on the Delete option.
8. Confirm the deletion by selecting Yes in confirmation Dialog box.
9. The selected Attribute value is deleted as shown in below figure.
SL- 4: Manage Environment
In this section, we demonstrate how to create, update and delete the Environment in the ‘System
Learning’ phase.
ME- 1: Create Environment
1. In order to create Environment, select the Environment option from dropdown list as
depicted below.
2. After selecting the Environment option in previous step, the following Environment
interface is opened. This interface further includes three main portions as highlighted with
“a”, “b” and “c” in the below figure.
3.
a) The upper portion of the Environment interface contains Environment Name and
Environment Description tabs. Initially, when no Environment is added in the database,
“No records found” is displayed.
b) The second portion of this interface contains the Environment Attributes tab that
lists the added Attributes for a given Environment. Initially, when there are no records
in the database, the “+” button is disabled.
c) The third portion of the interface consists of Environment Attribute Values tab that
gives a list of different values for a specific Attribute. At the start, when no Environment,
Attribute and Attribute values are added, the “+” sign is disabled.
4. Click on the Add Environment button on the bottom right corner of the below interface.
5. The Create Environment interface is opened to add the required number of Environments.
This interface has three main portions to add the Environment, its Attributes and
Attribute values, as highlighted with “a”, “b” and “c” in the figure below.
a-1) The first portion of the interface consists of Environment Name and Environment
Description text boxes. In order to create an Environment, add the required name and
description in text boxes as shown below.
b-1) The second part of the Create Environment interface provides the “+” button to add
the required Attributes to the Environment added in the previous step.
b-2) The following interface is opened to add the required Environment Attributes. It
consists of Attribute Name, Data Type and Attribute Value text boxes. Enter the
required Attribute name, its value and select the data type from the given list. Finally
click on the Save button as shown below.
b-3) The added Attribute is displayed under the Environment Attribute tab as shown in
below figure.
c- 1) The third portion of the Create Environment interface consists of the “+” button to
add more than one value for a specific Attribute. It is compulsory to select the required
Attribute from the Environment Attributes before adding the values. If the Add
Attribute Value button is clicked without selecting any Attribute, a warning message
pops up asking you to first select the desired Attribute.
c- 2) On clicking the “+” button in Environment Attribute Values, the following window
appears on the screen containing the Attribute Value text box. Enter the required
value for Attribute and then click on Save button as shown in below figure.
c- 3) After saving the Attribute Value, the following two values are visible under the
Environment Attribute Values tab, as shown in the figure below.
c- 4) Now click on the Save button in the Create Environment interface to save the added
Environment in the database, as shown below.
6. The added Environment is displayed on the Environment interface with its values under the
Environment Name and Environment Description tabs, as shown in the figure below.
7. Now click on the newly added line of Environment. The Attributes of that
Environment are displayed under the Environment Attribute tab, and the “+” sign is enabled so
that more Attributes can be added for the selected Environment.
8. On clicking the “+” button, the following window appears. Add the required values for Attribute
Name, Data Type and Attribute Value, and then click on the Save button.
9. Now two different Environment Attributes are visible under the Environment Attributes
tab, as shown in the figure below.
10. In order to view the values for specific Attributes, click on the required Attribute. It also
enables the “+” button as shown below. By clicking on “+” button more Attribute values can
be added to the selected Attribute.
ME- 2: Update Environment
1. To update an added Environment, right click on that specific Environment in the main
Environment interface and then select the Update option from the menu, as depicted in
the figure below.
2. The following interface appears after selecting the Update option in previous step. You can
update any of the two values which include Environment Name or Environment
Description. After updating the required fields, click on the Save button.
3. The updated results are also visible on the main Environment interface as shown below.
4. Similarly, any Attribute of the Environment can also be updated. Click on the required
Attribute under the Environment Attribute tab of the main Environment interface. A
dropdown menu appears on screen. Select the Update option.
5. The Update Environment Attribute interface is displayed on the screen. Enter the required
name in the Attribute Name text box and click on the Save button.
6. The updated results for the particular Attribute appear under the Environment Attribute
tab on the main Environment interface.
7. Similarly, the values for Attribute can also be updated. Right click on the name of the
Attribute Value under Environment Attribute Value tab. Now select the Update option
from the dropdown list.
8. The following window appears on screen. Enter the new required value for Attribute and
then click on Save button.
9. The updated value for the Environment Attribute is displayed instead of the previous value as
shown below.
ME- 3: Delete Environment
1. To delete a particular Environment, right click on its name in the main Environment
interface. Select the Delete option from the dropdown list.
2. Click Yes in the confirmation dialog box.
3. The selected Environment is deleted as shown in below figure. The Environment Attributes
and Environment Attribute Values are also deleted for that specific Environment.
4. In order to delete an attribute of particular Environment, click on that attribute under
Environment Attribute tab on the main Environment interface. Click on the Delete option
from the dropdown list.
5. Click Yes in confirmation Dialog box.
6. On confirmation the selected Attribute is deleted along with all of its Attribute Values as
shown in below figure.
7. To delete a particular Attribute Value, click on that value under the Environment Attribute
Value tab and click on the Delete option.
8. Click Yes in confirmation Dialog box.
9. The deleted Attribute Value is removed as shown below:
B. Policy Creation:
In this section, we demonstrate the procedure to perform add, update and delete operations on the
Target, Condition, Rule, Policy and Policy Set attributes in the ‘Policy Creation’ phase.
Select the Policy Creation option from the main interface of the Policy Administration Point.
Clicking on ‘Policy Creation’ displays its associated options, which are Target, Condition, Rule,
Policy and Policy Set. Accordingly, the four main subsections include Manage Target, Manage
Condition, Manage Rule, Manage Policy and Manage Policy Set.
PC - 1. Manage Target:
Select the Target option from the main Policy Creation dropdown-menu to add, update and
delete Targets and their related attributes including Subject, Action, Resource and
Environment.
MT - 1: Create Target
1. Below is the main Target interface, which is used to add, update and delete Target
attributes. It also allows existing Subject, Resource, Action and
Environment attributes to be associated with new or existing Target attributes.
2. Initially, if no Target exists in the database or no Target is selected, the add
(“+”) option for Available Subjects, Available Resources, Available Actions and
Available Environments is disabled. Otherwise it is active, and an attribute can be added
to a Target by selecting the Target and clicking on the “+” button.
3. Click on the Add Target button to add a new Target attribute into the database.
4. In the New Target interface, specify the Target name, add its description and click Save to
insert the new Target attribute into the database, or Cancel to discard the added
information.
5. Upon successful creation of a Target, its name and description appear in the main Target
interface. Selecting any Target from the available list enables the add/update “+” option for
Available Subjects, Available Resources, Available Actions and Available
Environments.
a-1) Click on the “+” option to add/update Available Subjects against the selected Target attribute.
In the Subject Value tab, select a Subject Description from the available list. As a result of
this selection, the list of available Subject Attributes is displayed.
a-2) Click on any Subject Attribute from the available list to view its values. As a result,
a complete list of possible values is displayed under the Subject Attribute Values tab. Select
any particular value and click Next.
a-3) In the Match Id tab, the list of possible Match Ids for the previously selected Subject value
is presented. Select any Match Id value from the available list and click Save to add the
selection (Subject Value and Match Id) against the individual Target.
b-1) Click on the “+” option to add/update Available Resources against the selected Target
attribute. In the Resource Value tab, select a Resource Description from the available list.
As a result of this selection, the list of available Resource Attributes is displayed.
b-2) Click on any Resource Attribute from the available list to view its values. As a
result, a complete list of possible values is displayed under the Resource Attribute Values
tab. Select any particular value and click Next.
b-3) In the Match Id tab, the list of possible Match Ids for the previously selected Resource value is
presented. Select any Match Id value from the available list and click Save to add the
selection (Resource Value and Match Id) against the individual Target.
c-1) Click on the “+” option to add/update Available Actions against the selected Target attribute.
In the Action Value tab, select an Action Description from the available list. As a result of
this selection, the list of available Action Attributes is displayed.
c-2) Click on any Action Attribute from the available list to view its values. As a result,
a complete list of possible values is displayed under the Action Attribute Values tab. Select
any particular value and click Next.
c-3) In the Match Id tab, the list of possible Match Ids for the previously selected Action Value is
presented. Select any Match Id value from the available list and click Save to add the
selection (Action Value and Match Id) against the individual Target.
d-1) Click on the “+” option to add/update Available Environments against the selected Target
attribute. In the Environment Value tab, select an Environment Description from the
available list. As a result of this selection, the list of available Environment Attributes is
displayed.
d-2) Click on any Environment Attribute from the available list to view its values. As a
result, a complete list of possible values is displayed under the Environment Attribute
Values tab. Select any particular value and click Next.
d-3) In the Match Id tab, the list of possible Match Ids for the previously selected Environment
Value is presented. Select any Match Id value from the available list and click Save to add
the selection (Environment Value and Match Id) against the individual Target.
6. After adding all the attributes, select the updated Target from the main Target interface
to view all of its associated Subjects, Actions, Resources and Environments.
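The following added example, which is not part of the FGAC manual or code base, models the Target built in steps 5 and 6 as lists of (attribute, value, Match Id) entries and evaluates a request against it. It assumes XACML-style semantics that the manual does not state: entries within one category are alternatives, all four categories must match, an empty category matches any request, and an unknown Match Id yields Indeterminate. The class, function and attribute names and the sample data are constructed for illustration; the two Match Ids are standard XACML function identifiers.

```python
from dataclasses import dataclass, field

FN = "urn:oasis:names:tc:xacml:1.0:function:"
STRING_EQUAL = FN + "string-equal"
INTEGER_EQUAL = FN + "integer-equal"

# Match Id -> comparison of the value stored in the Target with a request value.
MATCH_FUNCTIONS = {
    STRING_EQUAL: lambda policy_value, request_value: policy_value == request_value,
    INTEGER_EQUAL: lambda policy_value, request_value: int(policy_value) == int(request_value),
}

MATCH, NO_MATCH, INDETERMINATE = "Match", "NoMatch", "Indeterminate"
CATEGORIES = ("subjects", "resources", "actions", "environments")


@dataclass(frozen=True)
class Entry:
    """One selection saved against a Target: attribute, value and Match Id."""
    attribute: str
    value: str
    match_id: str


@dataclass
class Target:
    name: str
    subjects: list = field(default_factory=list)
    resources: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    environments: list = field(default_factory=list)


def evaluate_category(entries, request_attrs):
    """Assumption: entries in one category are alternatives (any one may match)."""
    if not entries:
        return MATCH  # an empty category places no restriction on the request
    saw_error = False
    for entry in entries:
        fn = MATCH_FUNCTIONS.get(entry.match_id)
        if fn is None:
            saw_error = True  # unknown Match Id: never treat it as a match
            continue
        try:
            values = request_attrs.get(entry.attribute, [])
            if any(fn(entry.value, v) for v in values):
                return MATCH
        except ValueError:
            saw_error = True  # value does not fit the function's data type
    return INDETERMINATE if saw_error else NO_MATCH


def evaluate_target(target, request):
    """Assumption: all four categories must match for the Target to apply."""
    results = [evaluate_category(getattr(target, c), request.get(c, {}))
               for c in CATEGORIES]
    if NO_MATCH in results:
        return NO_MATCH
    if INDETERMINATE in results:
        return INDETERMINATE
    return MATCH


def unrestricted_categories(target):
    """Review aid: categories left empty, which therefore match every request."""
    return [c for c in CATEGORIES if not getattr(target, c)]


# Constructed sample data (not taken from the manual).
SAMPLE_TARGET = Target(
    name="ReadPatientRecord",
    subjects=[Entry("role", "doctor", STRING_EQUAL),
              Entry("role", "nurse", STRING_EQUAL)],
    resources=[Entry("type", "patient-record", STRING_EQUAL)],
    actions=[Entry("action-id", "read", STRING_EQUAL)],
)
SAMPLE_REQUEST = {
    "subjects": {"role": ["nurse"]},
    "resources": {"type": ["patient-record"]},
    "actions": {"action-id": ["read"]},
    "environments": {"current-hour": ["14"]},
}

if __name__ == "__main__":
    print(SAMPLE_TARGET.name, evaluate_target(SAMPLE_TARGET, SAMPLE_REQUEST))
    print("unrestricted:", unrestricted_categories(SAMPLE_TARGET))
```

Running `unrestricted_categories` over every saved Target is a quick review for Targets that apply more broadly than intended.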
MT - 2: Update Target
1. In order to update any existing Target attribute, right click on that specific Target and choose
Update Target from the drop-down menu.
2. In the Update Target interface, edit any of the previously added Target attributes and click
Save to save the changes into the database.
3. After the successful execution of the update function, the Target interface displays the list of
updated Target attributes.
MT - 3: Delete Target
1. In order to delete any existing Target, right click on that particular Target and
select Delete from the menu.
2. Click on Yes to confirm deletion in the confirmation Dialog box:
3. After the successful deletion of the selected Target, the updated list of available Target
attributes is displayed on the Target interface.
PC - 2. Manage Condition:
In order to manage the Condition, select Condition from the main Policy Creation
dropdown-menu.
PC - 1. Create Condition:
1. Below is the main interface of Condition, which is used to create and delete the
Condition.
2. Click on the Add Condition button to create the new Condition.
3. The Add Condition dialog is categorized in three sections:
a) The first section (a) contains the information about the Condition, i.e. its Description.
b) The second section (b) contains the tree that represents the current state of the Condition.
New Attributes of the Condition are added as nodes in the tree; whenever an Apply,
Designator or Value is added, this tree is updated accordingly.
c) The third section (c) contains the controls to add new attributes (Apply,
Designator, or Value) to the Condition.
4. Provide the Description of the Condition in Condition Description section.
5. Click the Add Apply button to add the Apply in the condition.
6. The Add Apply dialog opens. Fill in the required information by selecting the Function
ID, No. of Arguments for the function, Description and DataType, then click Save to save
the Apply.
7. The newly added Apply is added under the Condition in the tree (section b of the
AddCondition interface).
8. Now select the Apply in the Condition tree and click on Add Apply to create an inner
Apply. This Apply will accept the Requestor’s time as an argument.
9. Fill the required information and click Save.
10. The Condition tree is updated accordingly, showing the newly added Apply.
11. Now select the newly added apply, and click on Add Apply button again to add another
Apply.
12. Fill the required information and click Save.
13. The condition tree is updated accordingly, showing the newly added Apply.
14. Now select the newest Apply, click on Add Designator.
15. Select the desired Designator Type, Designator ID and Attribute Designator from the
drop downs and click Save.
16. The tree is updated accordingly, showing the newly added Designator.
17. Now select the second Apply from the tree, and click on Add Value to provide the value
of action.
18. Fill the appropriate information and click Save.
19. Once completed click on Save, to save the condition.
20. Once saved, the newly created Condition appears in the main Condition page.
PC - 2. Delete Condition:
1. For deleting the Condition, right click on the desired condition and select Delete from the
Menu:
2. Click Yes in the confirmation Dialog box:
3. The condition will be deleted from the database, and will not be available in the main
Condition page.
PC - 3. Manage Rule:
In order to add, update and delete Rule and its corresponding Target attribute, select Rule
from the main Policy Creation dropdown-menu.
MU - 1: Create Rule
1. Below is the main Rule interface, which is used to add, update and delete Rule and its
related attributes.
2. Click on Add Rule button, to add new Rule attribute into the database.
3. In the Create Rule interface, specify Rule Name, Description, its corresponding Effect,
the applicable target and the applied condition and click on Save to insert the new Rule
attribute into the database and Cancel to discard the added information.
4. Upon successful creation of a Rule, its Name, Effect, Applicable targets and Description
appear in the main Rule interface.
MU - 2: Update Rule
1. In order to update any existing Rule attribute, right click on that specific Rule and choose
Update from the displayed menu.
2. In the Update Rule interface, edit any of the previously added Rule attributes and click
Update to save the changes into the database.
3. After the successful execution of the update function, the Rule interface displays the list of
updated Rule attributes.
MU - 3: Delete Rule
1. In order to delete any existing Rule, right click on that particular Rule and select
Delete from the menu.
2. Confirm the deletion by selecting Yes in the confirmation dialog box.
3. After the successful deletion of the selected Rule, the updated list of available Rule attributes is
displayed on the Rule interface.
PC - 3. Manage Policy:
In order to add, update and delete a Policy and its related attributes including Target and Rule,
select Policy from the main Policy Creation dropdown-menu.
MP - 1: Create Policy
1. Below is the main Policy interface, which is used to add, update and delete Policy and its
related attributes.
2. Click on Add Policy button, to add new Policy attributes into the database.
3. In the Create Policy interface, specify the Policy Name, Description and Rule Combining
Algorithm along with the desired Target attribute and their corresponding Rules. Also
provide the Number of Fine Levels, that is, the number of restrictions to be applied on
the Policy. Make sure that the number of Fine Levels provided and the number of Rules
selected are the same. Click on Save to insert the new Policy attribute into the database.
4. The Policy Name, Description, Rule Combining Algorithm and Applicable Target are
shown in the Policy interface. Selecting any Policy from the available list enables the “+”
option, which is used for editing the number of fine levels and the Applicable Rules on the
selected Policy.
5. Click on the “+” option to edit the Applied Rules or change the Number of Fine
Levels on the selected Policy. In the Add Policy Rule interface, check/select the Rule
description that you want to add to the selected Policy, and/or change the Number of
Fine Levels. Again, make sure that the Fine Levels defined and the number of selected Rules are
equal, and click Add to save the association in the database.
6. If saved, newly added Applicable Rules appear in the main Policy interface against the
selected Policy.
MP - 2: Update Policy
1. In order to update any existing Policy, right click on that specific Policy and
choose Update from the displayed menu.
2. In the Update Policy interface, edit any of the previously added Policy attributes and click
Update to save the changes into the database.
3. After the successful execution of the update function, the Policy interface displays the list of
updated Policy attributes.
MP - 3: Delete Policy
1. In order to delete any existing Policy, right click on that particular Policy and
select Delete from the menu.
2. Click Yes to confirm the deletion in the confirmation Dialog box.
3. After the selected Policy is deleted successfully, the updated list of available Policy
attributes is displayed on the Policy interface.
PC - 4. Manage Policy Set:
To add, update and delete a Policy Set and its related attributes, including Target, Rule and
Policy, select Policy Set from the main Policy Creation drop-down menu.
MPS - 1: Create Policy Set
1. Below is the main Policy Set interface, which is used to add, update and delete a Policy
Set and its related attributes.
2. Click the Add Policy Set button to add a new Policy Set into the database.
3. In the Add New Policy Set interface, specify the PolicySet Name, Description and Policy
Combining Algorithm along with the applicable Target. The interface also lets you add
applicable Policies and Policy Sets to the newly created Policy Set. Click Save to insert
the new Policy Set into the database.
4. After the Policy Set is created successfully, the newly added Policy Set with all of its
related attributes is displayed in the main PolicySet interface. Selecting any Policy Set
from the available list enables the add/update “+” option for Applicable Policy Sets and
Applicable Policies.
a) Click the “+” option to update the Sub PolicySets attribute of the selected Policy Set.
b) Click the “+” option to update the Sub Policy attribute of the selected Policy Set.
5. If saved successfully, the newly added Policy Set with its Applicable Policies is displayed
in the main Policy Set interface against the selected Policy Set.
MPS - 2: Update Policy Set
1. To update an existing Policy Set, right-click that Policy Set and choose Update from
the displayed menu.
2. In the Update Policy Set interface, edit any of the previously added Policy attributes and
click Update to save the changes into the database.
3. After the update function executes successfully, the Policy Set interface displays the list
of updated Policy Set attributes.
MPS - 3: Delete Policy Set
1. To delete an existing Policy Set, right-click the PolicySet to be deleted and select
Delete from the drop-down menu.
2. Confirm the deletion by clicking Yes in the delete confirmation dialog box.
3. After the selected Policy Set is deleted successfully, the updated list of available Policy
Sets is displayed in the main Policy Set interface.
C. XACML Generation
This is the final section of this manual. It demonstrates the generation of XACML-based
Policies and Policy Sets.
If we hover the cursor over “XACML Generation”, a drop-down menu appears showing two
options: XACML Policy Generation and XACML Policy Set Generation.
PG - 1. Policy Generation
MPG-1: XACML Policy Generation
1. Click on XACML Policy Generation.
2. Initially, if there are no Policies in the database, the message “No records found” is
displayed; otherwise the Description of Policies is shown.
3. All Policies and Policy Sets will be generated in the F: drive. Right now we have not
generated any Policies or Policy Sets; therefore, the F: drive is not showing any of them.
4. In the XACML Generation tab, click on the Generate all XACML Policies button to
generate all policies.
5. A dialog box will pop up showing that all Policies have been generated.
6. In the following figure we can see that our F: drive now has the Policy files that have
just been generated.
MPG-2: XACML Policy View:
1. For viewing any generated Policy, select the Policy.
2. Click on View XACML Policy button to view the Policy.
3. After clicking, the selected Policy will be opened in the default XML viewer:
PG - 2. Policy Set Generation
MPSG-1: XACML Policy Set Generation:
1. Click on XACML Policy Set Generation.
2. Initially, if there is no Policy Set in the database, the message “No records found” is
displayed; otherwise the Description of Policies is shown.
3. All Policies and Policy Sets will be generated in the F: drive. Right now we have not
generated any Policy Sets; therefore, the F: drive is only showing generated Policies.
4. Click on the Generate all XACML Policies button to generate all policies.
5. A dialog box will pop up showing that all Policy Sets have been generated.
6. In the following snapshot, we can see that the newly generated Policy Sets are stored in
the F: drive.
MPSG-2: XACML Policy Set View:
1. For viewing any generated Policy, select the Policy.
2. Click on View XACML Policy Set button to view the Policy.
3. After clicking, the selected Policy Set will be opened in the default XML viewer:
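A generated Policy Set file can also be reviewed offline before it is handed to a decision point. The Python example below is added here and is not code or output from the FGAC PAP: it walks a constructed Policy Set, lists each nested Policy Set and Policy with its combining algorithm, and flags entries that pair a match-all Target with permit-overrides. XACML 3.0 syntax is an assumption (the manual does not state the version), and the ids and the `local`, `summarise` and `review` helpers are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not FGAC PAP output; XACML 3.0 syntax is an assumption.
SAMPLE = """<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicySetId="root-set" Version="1.0"
  PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">records</AttributeValue>
      <AttributeDesignator MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
    </Match></AllOf></AnyOf></Target>
  <PolicySet PolicySetId="audit-set" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides">
    <Target/>
    <Policy PolicyId="audit-read" Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
      <Target/>
      <Rule RuleId="allow-read" Effect="Permit"/>
    </Policy>
  </PolicySet>
</PolicySet>"""

def local(tag):
    """Element name without its namespace, so XACML 2.0 files are read the same way."""
    return tag.rsplit("}", 1)[-1]

def summarise(elem, depth=0):
    """Flatten the tree into (depth, kind, id, algorithm, open_target) rows."""
    kind = local(elem.tag)
    alg = elem.get("PolicyCombiningAlgId") or elem.get("RuleCombiningAlgId", "")
    target = next((c for c in elem if local(c.tag) == "Target"), None)
    # A missing Target or one with no child elements matches every request.
    open_target = target is None or len(target) == 0
    rows = [(depth, kind, elem.get(kind + "Id"), alg.rsplit(":", 1)[-1], open_target)]
    for child in elem:
        if local(child.tag) in ("PolicySet", "Policy"):
            rows += summarise(child, depth + 1)
    return rows

def review(rows):
    """Ids worth a reviewer's look: match-all Target combined with permit-overrides."""
    return [r[2] for r in rows if r[4] and r[3] == "permit-overrides"]

if __name__ == "__main__":
    rows = summarise(ET.fromstring(SAMPLE))
    for depth, kind, ident, alg, open_target in rows:
        print("  " * depth + f"{kind} {ident}: {alg}", "ANY" if open_target else "restricted")
    print("review:", review(rows))
```

To check a file written by the PAP, pass `ET.parse(path).getroot()` to `summarise` instead of the embedded sample.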